public inbox for [email protected]  
From: Varik Matevosyan <[email protected]>
To: [email protected]
Subject: [PATCH] contrib/xml2: guard against signed integer overflow in parse_params
Date: Mon, 4 May 2026 15:26:50 +0400
Message-ID: <CA+bBooj48K08uKpAKyciPRdbOJ_5qCqz9nr2m2wzr8E5s102Hw@mail.gmail.com>

Hi,

Small robustness fix for contrib/xml2/parse_params. The doubling
of max_params relies on signed-integer overflow wrapping to a value
that AllocSizeIsValid then rejects, which is both UB and incidental
safety.

The overflow is unreachable in current builds (text input is bounded
by MaxAllocSize, which limits nparams below the doubling threshold),
but the fix is small and matches the explicit overflow-checking
idiom used elsewhere in the tree.

Patch attached against current master.

Regards,
Varik


Attachments:

  [application/octet-stream] 0001-contrib-xml2-guard-against-signed-integer-overflow-i.patch (1.8K)
  inline diff:
From ef1219a7e97525a42a21bc27f982fd9e2e9a2c30 Mon Sep 17 00:00:00 2001
From: Varik Matevosyan <[email protected]>
Date: Mon, 4 May 2026 10:53:05 +0000
Subject: [PATCH] contrib/xml2: guard against signed integer overflow in
 parse_params

The doubling of max_params in parse_params relies on signed integer
overflow to wrap to a negative value that AllocSizeIsValid then
rejects, producing a clean ereport. This is incidental safety:
signed overflow is undefined per the C standard, and the graceful
ERROR depends on the wrapped value falling outside MaxAllocSize
after promotion to size_t.

In current builds the overflow is unreachable, since text input is
bounded by MaxAllocSize and that limits nparams below the doubling
threshold. Guard the multiplication anyway, matching the explicit
overflow-checking idiom used elsewhere in the tree.
---
 contrib/xml2/xslt_proc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 8ceb8c46494..39116118663 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -7,6 +7,7 @@
  */
 #include "postgres.h"
 
+#include "common/int.h"
 #include "fmgr.h"
 #include "utils/builtins.h"
 #include "utils/xml.h"
@@ -216,6 +217,7 @@ parse_params(text *paramstr)
 	char	   *itsep = ",";
 	const char **params;
 	int			max_params;
+	int			new_max_params;
 	int			nparams;
 
 	pstr = text_to_cstring(paramstr);
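Review bot: new_max_params is only used inside the `if (nparams >= max_params)` block in the next hunk, so it could be declared there rather than at function scope, keeping the temporary next to the check it serves. Function-scope declaration is also acceptable PostgreSQL style, so this is a minor point either way.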
@@ -230,7 +232,12 @@ parse_params(text *paramstr)
 	{
 		if (nparams >= max_params)
 		{
-			max_params *= 2;
+			if (pg_mul_s32_overflow(max_params, 2, &new_max_params))
+				ereport(ERROR,
+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+						 errmsg("too many XSLT parameters")));
+
+			max_params = new_max_params;
 			params = (const char **) repalloc(params,
 											  (max_params + 1) * sizeof(char *));
 		}
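Review bot: the guard covers `max_params * 2`, but the unchanged context line `(max_params + 1) * sizeof(char *)` still performs the `+ 1` in int before promotion to size_t. After this patch that addition cannot overflow only because the guarded value is at most INT_MAX and doubling yields an even number; a one-line comment at that site, or writing the size as `((Size) max_params + 1) * sizeof(char *)`, would make that reasoning explicit instead of implicit. Worth a sentence in the commit message as well: since repalloc rejects a request above MaxAllocSize, the size check fires at far fewer entries than the roughly 2^30 needed for the multiplication to overflow, so the new ereport is a defensive path that AllocSizeIsValid would otherwise reach first; ERRCODE_PROGRAM_LIMIT_EXCEEDED and "too many XSLT parameters" read correctly for that role.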
-- 
2.43.0
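The checked-doubling idiom the patch adopts, as an added example that is not part of Varik's patch or of PostgreSQL's own code: a portable stand-in for pg_mul_s32_overflow (built on __builtin_mul_overflow under GCC and Clang, with a long long fallback otherwise), a growth step written in the style of the patched loop body, and a non-allocating walk that reports which check fires first from a given starting capacity. MAX_ALLOC_SIZE is a constructed constant that reuses MaxAllocSize's value of 0x3fffffff; the starting capacity of 20, the enum and all function names are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for PostgreSQL's MaxAllocSize (0x3fffffff bytes). */
#define MAX_ALLOC_SIZE ((size_t) 0x3fffffff)

/* Outcome of one growth step, so callers (and tests) can see which check fired. */
enum grow_result
{
    GROW_OK = 0,            /* capacity doubled */
    GROW_COUNT_OVERFLOW,    /* max_params * 2 does not fit in int */
    GROW_ALLOC_TOO_LARGE,   /* byte size exceeds MAX_ALLOC_SIZE */
    GROW_OUT_OF_MEMORY      /* realloc failed */
};

/*
 * Portable equivalent of pg_mul_s32_overflow() (assumed interface): returns
 * true if a * b overflows int, otherwise stores the product and returns false.
 * No signed overflow is ever evaluated, so there is no undefined behaviour.
 */
static bool
mul_s32_overflow(int a, int b, int *result)
{
#if defined(__GNUC__) || defined(__clang__)
    return __builtin_mul_overflow(a, b, result);
#else
    long long product = (long long) a * (long long) b;

    if (product > INT_MAX || product < INT_MIN)
        return true;
    *result = (int) product;
    return false;
#endif
}

/*
 * Pure arithmetic of one doubling step: the checked multiplication from the
 * patch, then the byte-size limit that repalloc's AllocSizeIsValid applies.
 * The "+ 1" is done in size_t so it cannot overflow either.
 */
static enum grow_result
checked_new_capacity(int max_params, int *new_max_params, size_t *bytes)
{
    if (mul_s32_overflow(max_params, 2, new_max_params))
        return GROW_COUNT_OVERFLOW;

    *bytes = ((size_t) *new_max_params + 1) * sizeof(char *);
    if (*bytes > MAX_ALLOC_SIZE)
        return GROW_ALLOC_TOO_LARGE;

    return GROW_OK;
}

/* Double the capacity of the params array, mirroring the patched loop body. */
static enum grow_result
grow_params(const char ***params, int *max_params)
{
    int new_max_params;
    size_t bytes;
    enum grow_result rc = checked_new_capacity(*max_params, &new_max_params, &bytes);
    const char **grown;

    if (rc != GROW_OK)
        return rc;              /* max_params is left untouched on failure */

    grown = realloc(*params, bytes);
    if (grown == NULL)
        return GROW_OUT_OF_MEMORY;

    *params = grown;
    *max_params = new_max_params;
    return GROW_OK;
}

/*
 * Count how many doublings succeed from a starting capacity before one of
 * the checks fires, without allocating anything; *why says which check.
 */
static int
doublings_until_limit(int initial, enum grow_result *why)
{
    int max_params = initial;
    int steps = 0;
    int next;
    size_t bytes;

    for (;;)
    {
        *why = checked_new_capacity(max_params, &next, &bytes);
        if (*why != GROW_OK)
            return steps;
        max_params = next;
        steps++;
    }
}

int
main(void)
{
    const char **params = NULL;
    int max_params = 20;        /* constructed starting capacity */
    enum grow_result why;
    int steps;

    grow_params(&params, &max_params);
    printf("after one growth step: max_params = %d\n", max_params);

    steps = doublings_until_limit(20, &why);
    printf("from 20, %d doublings succeed; doubling %d fails with code %d\n",
           steps, steps + 1, (int) why);

    free(params);
    return 0;
}
```

Run stand-alone, the walk from a starting capacity of 20 shows that the byte-size check rejects a doubling while max_params is still in the hundreds of millions, whereas the multiplication guard only fires once max_params has already reached 2^30. That ordering is the point of the commit message: the guard changes the code from relying on undefined wrap-around to defined arithmetic, not the reachable limit.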
